
Windows UAC Bypass Leaves Systems Open to Malicious DLLs

Launching a BypassUAC attack just got a bit easier with a new Windows User Account Control bypass technique that can fly under the radar of security solutions that monitor for this type of circumvention.

Researchers have crafted a stealthy new way of bypassing Windows User Account Control (UAC) that opens the door to attacks on targeted systems. According to the researchers, the bypass technique can fly under the radar of security solutions that monitor for this type of circumvention.

The UAC bypass technique works on Windows 10 systems and, unlike a number of other UAC bypass techniques, does not raise red flags because it relies on neither a privileged file copy nor code injection, according to Matt Graeber and Matt Nelson, who found the workaround and outlined it in a technical breakdown on the Enigma0x3 website.

As the name implies, a User Account Control bypass allows a Windows user to evade the technical restrictions associated with their Windows account that prevent them from changing system settings and adding or removing programs. Windows UAC is a security policy mechanism also designed to prevent malware or other malicious software from installing itself on a PC.

But Microsoft doesn’t view bypassing UAC as a security vulnerability, even though doing so is a common tactic employed by attackers who wish to gain administrative privileges on targeted PCs in conjunction with surreptitious malware infections.

Graeber and Nelson have managed to bypass UAC using a complex, multistep process that ultimately allows an attacker holding only the lowest privileges on a system to get a malicious DLL executed.

“After investigating some default Scheduled Tasks that exist on Windows 10 and their corresponding actions, we found that a scheduled task named ‘SilentCleanup’ is configured on stock Windows 10 installations to be launchable by unprivileged users but to run with elevated/high integrity privileges,” wrote Nelson.

SilentCleanup is a Windows process that works with the common Windows utility called Disk Cleanup or Cleanmgr.exe. “Taking a closer look… we found that the actual process started by the scheduled task, cleanmgr.exe, auto-elevates due to ‘execute with highest privileges’ being set in the task configuration,” wrote Nelson.

What both researchers observed next was that when the Disk Cleanup utility was launched, it created a new folder (a GUID-named directory in “C:\Users\<username>\AppData\Local\Temp”) and copied several DLLs along with “dismhost.exe” into it. Dismhost.exe is a Windows component tied to maintaining custom Windows OS images.

“Since dismhost.exe launches out of “C:\Users\<username>\AppData\Local\Temp\<guid>”, it begins to load DLLs out of the same folder in a certain order. Because the current medium integrity user has write access to the user’s %TEMP% directory, it is possible to hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process. This is commonly known as a ‘BypassUAC’ attack,” Nelson wrote.

Using this knowledge, Graeber and Nelson were able to swap in a specific DLL before the dismhost.exe process loaded it. The technique could be used to load any specially crafted DLL (malicious or otherwise).

“This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016. As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability,” Nelson wrote.

Because this type of BypassUAC attack does not require process injection, which would get flagged by security software, it can avoid detection.

“There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to setup a DLL hijack. Since the scheduled task copies the required stuff to %TEMP%, no privileged file copy is required,” Nelson wrote.
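The pattern the article describes (a high-integrity dismhost.exe loading DLLs out of a user-writable %TEMP%\<guid> folder) is something a detection team can watch for directly, even though no process injection or privileged file copy occurs. The following is an added example, not code from the article or from the researchers: it classifies records shaped like Sysmon Event ID 7 (image loaded) and flags any DLL loaded into dismhost.exe from that staging folder unless the DLL carries a valid Microsoft signature. The field names follow Sysmon's Event ID 7 schema; the user name, GUID, DLL names and timestamps in the sample records are constructed for illustration.

```python
"""Flag DLL loads into dismhost.exe from a user-writable %TEMP%\\<guid>\\ folder.

Input records mimic Sysmon Event ID 7 (Image loaded) fields. SAMPLE_EVENTS are
constructed for this example and are not real telemetry.
"""
import ntpath
import re
from typing import Iterable, List, Optional

# The staging folder cleanmgr.exe creates: <drive>:\Users\<name>\AppData\Local\Temp\<guid>\
TEMP_GUID_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\"
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\\",
    re.IGNORECASE,
)


def is_temp_guid_path(path: str) -> bool:
    """True if the path lies under a %TEMP%\\<guid>\\ folder."""
    return TEMP_GUID_DIR.match(path) is not None


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious load, or None if there is nothing to flag."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != "dismhost.exe":
        return None
    if not is_temp_guid_path(loaded):
        return None
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    microsoft = "microsoft" in event.get("Signature", "").lower()
    if signed and valid and microsoft:
        # The DLLs cleanmgr.exe stages beside dismhost.exe are Microsoft-signed,
        # so a validly signed Microsoft DLL in that folder is the expected case.
        return None
    return {
        "time": event.get("UtcTime", ""),
        "user": event.get("User", ""),
        "dll": loaded,
        # The hijack shape from the article: the DLL sits in the same folder as the host.
        "same_dir_as_host": ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower(),
        # An unsigned or broken-signature DLL is the strongest signal; a validly
        # signed but non-Microsoft DLL still does not belong in that folder.
        "severity": "high" if not (signed and valid) else "medium",
    }


def scan(events: Iterable[dict]) -> List[dict]:
    """Run classify() over a stream of Event ID 7 records and collect the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample records: user, GUID and DLL names are made up for this example.
_STAGE = r"C:\Users\alice\AppData\Local\Temp\{8c2f1b34-5a6d-4e7f-9a0b-1c2d3e4f5a6b}"
SAMPLE_EVENTS = [
    {   # Microsoft-signed DLL staged by cleanmgr.exe -> expected, not flagged
        "UtcTime": "2016-08-15 10:00:01.000", "User": r"DESKTOP\alice",
        "Image": _STAGE + r"\dismhost.exe",
        "ImageLoaded": _STAGE + r"\exampleprov.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # unsigned DLL written into the same folder by the medium-integrity user -> high
        "UtcTime": "2016-08-15 10:00:02.000", "User": r"DESKTOP\alice",
        "Image": _STAGE + r"\dismhost.exe",
        "ImageLoaded": _STAGE + r"\planted_placeholder.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # dismhost.exe loading a system DLL from System32 -> outside this rule
        "UtcTime": "2016-08-15 10:00:03.000", "User": r"DESKTOP\alice",
        "Image": _STAGE + r"\dismhost.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, only the unsigned DLL loaded from the GUID folder produces an alert. The signature check is what keeps the rule quiet during legitimate Disk Cleanup runs, since the staged DLLs are Microsoft-signed; it is deliberately a positive allow-list on "valid Microsoft signature" rather than a block-list of known-bad file names, because the article makes clear that any crafted DLL name in that folder could be used.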
